1
votes

I have a setup via Terraform which includes a VPC, a public subnet, and an EC2 instance with a security group. I am trying to ping the EC2 instance but get timeouts.

A few things I've tried to ensure:

  • the EC2 is in the subnet, and the subnet is routed to the internet via the gateway

  • the EC2 has a security group allowing all traffic both ways

  • the EC2 has an elastic IP

  • The VPC has an ACL that is attached to the subnet and allows all traffic both ways

I'm not sure what I missed here.

My tf file looks like (edited to reflect latest changes):
resource "aws_vpc" "foobar" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "foobar_gateway" {
  vpc_id = aws_vpc.foobar.id
}

/*
Public subnet
*/
resource "aws_subnet" "foobar_subnet" {
  vpc_id = aws_vpc.foobar.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_route_table" "foobar_routetable" {
  vpc_id = aws_vpc.foobar.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.foobar_gateway.id
  }
}

resource "aws_route_table_association" "foobar_routetable_assoc" {
  subnet_id = aws_subnet.foobar_subnet.id
  route_table_id = aws_route_table.foobar_routetable.id
}

/*
Web
*/
resource "aws_security_group" "web" {
  name = "vpc_web"
  vpc_id = aws_vpc.foobar.id

  ingress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_network_acl" "main" {
  vpc_id = aws_vpc.foobar.id
  subnet_ids = [aws_subnet.foobar_subnet.id]

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  ingress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}

resource "aws_instance" "web-1" {
  ami = "ami-0323c3dd2da7fb37d"
  instance_type = "t2.micro"
  subnet_id = aws_subnet.foobar_subnet.id
  associate_public_ip_address = true
}

resource "aws_eip" "web-1" {
  instance = aws_instance.web-1.id
  vpc = true
}

Why can I not ping my EC2 instance when I've set up the VPC and EC2 via Terraform?

Can you please check your VPC ACLs manually via the AWS console and see if traffic is allowed? Thanks - sogyals429
Does this answer your question? Unable ping AWS EC2 instance - Edcel Cabrera Vista
@EdcelCabreraVista it seems to be a different problem, as I do have security groups allowing all traffic - Joe Bob

2 Answers

1
votes

Why are you adding the self parameter in your security group rule? The docs for Terraform state that "If true, the security group itself will be added as a source to this ingress rule", which basically means that only that security group can access the instance. Please remove that and try.

EDIT: see comments below for steps that fixed the problem

-2
votes

Allowing all the traffic through the security group would not enable ping to the instance. You need to add a specific security rule (image shown below) to enable the ping request.

[Image: Security rule for enabling ping in EC2 instance]

Remember that AWS has made this rule separate to ensure that you know what you are doing. Being able to ping the instance from anywhere around the world leaves your instance vulnerable to people trying to find instances by brute-forcing various IP addresses.

Hence, it is advisable to carefully change this rule.
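As an added example (not code from the question or either answer), here is the question's "web" security group narrowed to ICMP echo requests from one trusted range, and the instance block with the security group actually attached. Note that the question's aws_instance block never references aws_security_group.web, so as written the instance falls back to the VPC's default security group; the trusted CIDR below is a constructed placeholder from the RFC 5737 documentation range.

```hcl
# Added example, not from the original post. Assumes the aws_vpc.foobar and
# aws_subnet.foobar_subnet resources from the question already exist.

variable "trusted_icmp_cidr" {
  description = "CIDR allowed to ping the instance (placeholder; replace with your own range)"
  type        = string
  default     = "203.0.113.0/24" # constructed value from the documentation range
}

resource "aws_security_group" "web" {
  name   = "vpc_web"
  vpc_id = aws_vpc.foobar.id

  # For protocol "icmp" the AWS provider reads from_port as the ICMP type
  # (8 = echo request) and to_port as the ICMP code (-1 = any code).
  # This admits ping from the trusted range only, not all traffic from 0.0.0.0/0.
  ingress {
    description = "ICMP echo request from trusted range"
    protocol    = "icmp"
    from_port   = 8
    to_port     = -1
    cidr_blocks = [var.trusted_icmp_cidr]
  }

  # Security groups are stateful, so the echo reply is allowed automatically.
  # This egress rule covers the instance's own outbound traffic.
  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web-1" {
  ami                         = "ami-0323c3dd2da7fb37d" # AMI id as given in the question
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.foobar_subnet.id
  associate_public_ip_address = true

  # Without this attribute the instance is placed in the VPC's default
  # security group and the "web" group above is never applied to it.
  vpc_security_group_ids = [aws_security_group.web.id]
}
```

Because the network ACL in the question is stateless, its existing allow-all ingress and egress rules are what let the echo request in and the reply out; the security group is the layer that had to change.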